Using Security Onion to Review Suspicious Network Traffic

Brad Duncan, ISC Handler

Wednesday, July 26th, 8:15pm - 9:15pm

Malicious network traffic is often difficult for security professionals to recognize without the help of an intrusion detection system (IDS) or other security tools. The Security Onion Linux distro is an outstanding resource that can help people analyze suspicious network traffic.

In this presentation, ISC Handler Brad Duncan discusses how he first discovered Security Onion in 2013 and how he has used it since then. He covers how to use Security Onion in a lab environment to test traffic from exploit kits and links or attachments from malicious spam. Brad also covers how to set up Security Onion to monitor live traffic in a physical or virtual research environment. Such environments provide an excellent way to review network traffic or examine malware from infected Windows hosts.

Speaker Bio: Brad Duncan specializes in network traffic analysis and exploit kit detection. After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010. He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad is also a handler for the Internet Storm Center (ISC) and has authored more than 80 diaries at isc.sans.edu. He routinely blogs technical details of infection traffic at www.malware-traffic-analysis.net. Brad also publishes blog articles for Palo Alto Networks at http://researchcenter.paloaltonetworks.com/author/bduncan/.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.

Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.